Legislation is one of those things that often seems like a good idea at the time. This act could provide valuable guidelines for IoT security--but it could also add unnecessary complexity for compliance and IT departments. And some experts say it may not go far enough to be of real value.

The current bill asks vendors that sell internet-connected devices to the government to ensure that their products are patchable. While that's a good start, it doesn't include consumer devices, leaving them vulnerable, noted Jim Hunter, chief scientist and technology evangelist at Greenwave Systems.

"So far, the only penalty for device-makers who prioritize getting a product to market without basic security features is bad PR," he said. "Legislation can enforce what device-makers should already be doing."

The elements of successful legislation

At the very least, Hunter said, any IoT security legislation needs to be shaped around existing security standards, such as changeable passwords, mandatory vulnerability patching, the ability to detect suspicious access attempts, and plans to minimize damage should an attack occur. "These standards are reasonable requirements that are in line with engineering protocols that other manufacturing disciplines follow."

The US could take some cues from Europe--in particular, the European Union's General Data Protection Regulation (GDPR), slated for enforcement next year. "With GDPR, the European government sets a good example by putting an emphasis on protecting its citizens' privacy and data," said Gorav Arora, data protection CTO at Gemalto. "Similar legislation is needed in the US, and the massive Equifax breach might be the watershed moment."

Of note is that the Federal Trade Commission (FTC) did issue a set of IoT security guidelines after the notorious Jeep hack a few years ago. The thoroughness of the guidelines could help mitigate security risks for those involved in working with IoT devices, and if IT departments start now, they can get a jump on any regulations that might come into play later, Arora said.


Legislation may not be a panacea

However, even the best intentions from legislation may not be enough. "It's difficult to impossible to legislate security," said Sean Sullivan, security advisor at F-Secure. Laws and regulations are rarely future-proof, and general regulations require an agency to enforce them. The government is already overburdened with agencies, he said.

Sullivan believes that the IoT Cybersecurity Improvements Act of 2017 and associated legislation, which requires security for IoT providers to the government, might be a step in the right direction. "If the government wants to affect IoT security, then the US and other governments should use their purchasing power to reward vendors that live up to certain standards--and to ban government purchases of those that do not," he said.

Overall, though, legislation may do more harm than good, said Richard Henderson, global security strategist at Absolute. "Forcing IoT device manufacturers, especially smaller ones or startup companies, to adhere to some nebulous set of rules is likely to have a deleterious effect on the technology." He said it would drive up costs for both the manufacturers and the consumers, whether those consumers are enterprises or not. In addition, legislation often moves slowly, much more slowly than technology develops.

But Henderson also said that most companies are already on top of IoT security. That self-regulation may be more valuable than anything passed by a governing body, although the EU seems to be taking the lead. "If the majority of tech companies out there can get ahead of the game and show they're taking secure development and long-term support of IoT devices seriously, maybe governments won't need to step in."

The takeaway for now is that legislation may help in the short term to secure IoT devices. However, for truly comprehensive guidelines, it may be up to industry associations to set standards, as legislative bodies are often slow to act. The EU may be on the right track, and the Internet of Things Cybersecurity Improvements Act of 2017 may also foster a more secure IoT environment. But legislators must be careful not to pass burdensome laws that could stifle innovation.
